CybSafe’s CEO and founder Oz Alashe unpacks why your colleagues keep missing the point on behavioral risk – and what to do about it

Last week, we talked about traditional security awareness and training, and why it doesn’t work. This time around, it’s all about passwords.
On the whole, people have some questionable password habits that would make any security professional break out in a cold sweat.
Like using weak passwords.
Which they write down.
Never change.
And reuse.
Shudder.
The result? Account compromise. Which could cost your organization tons of money and time.
It’s not that people can’t be bothered to ‘be better’ at password management. The human brain simply isn’t set up to store and recall heaps of complex passwords. Which is why it pays to outsource the job to invaluable tech like a password manager.
As you may already suspect, adoption of a password manager is a priority. And we should know: we brought together the finest minds to create SebDB, a free database that maps security behaviors to risk outcomes.
Generally, adoption is woefully low. Even though it takes the memory load off people and does them—and your organization—a big favor, most people just don’t want to go through the trouble of setting one up.
And that’s great news for hackers. Because encryption is off-putting to those of the cybercrime persuasion.
Don’t get us wrong, people don’t think they’re doing a great job of password management on their own. Most people probably feel uneasy about their password hygiene. And they want to do better.
So, if you want to influence people to adopt a password manager, you’d better be prepared to dispel some common myths and concerns. Here are some of the reasons behind people’s reluctance:
People think it isn’t secure. Security is … kind of the point. People can set up stronger passwords without worrying about forgetting them, and the data is encrypted.
People think it takes ages to set up. Which is sort of funny when you consider how much time people spend recovering their passwords every so often.
People literally don’t even know about password managers. You got us! This one isn’t a myth, but awareness is absolutely a part of the picture.
In 2019, three researchers had an inkling that the key to the successful adoption of a password manager lay in something called self-determination theory.
The theory relies on three basic human needs: autonomy (the freedom to make their own choices); competence (feeling confident in one’s ability to carry out a task); and relatedness (a sense of connection with others).
For the study, the researchers developed a platform to influence and measure people’s uptake of password managers based on the theory.
The result? They found the strongest impact on password manager adoption when autonomy and relatedness needs were met. But the study was conducted over a short timeframe, so it could be that measuring competence requires more time.
It’s essential to give people some autonomy. Any password manager worth its salt should be designed to give people a sense of control. Freedom to choose from various options is also key for successful—and sustainable—adoption.
Keep it friendly. Polite, respectful language such as “would you like...” instead of “you have to…” encourages adoption.
Sharing experiences and being able to invite others elicits feelings of relatedness. Receiving referrals from others didn’t undermine autonomy. Instead, it engaged people in a decision-making process where they could follow their own preferences.
Finally, tell people about it! Answer questions, put concerns to rest, and demonstrate how easy it is to set up and use a password manager.